Prime Numbers
.pdf240 |
Chapter 5 EXPONENTIAL FACTORING ALGORITHMS |
Allowing both +1 and −1 for the determinant does not give much more leeway than restricting to just +1. (For example, one can go from (a, b, c) to (a, −b, c) and to (c, b, a) via changes of variables with determinants −1, but these are easily recognized, and may be tacked on to a more complicated change of variables with determinant +1, so there is little loss of generality in just considering +1.) We shall say that two quadratic forms are equivalent if there is a change of variables as in (5.1) with determinant +1. Such a change of variables is called unimodular, and so two quadratic forms are called equivalent if you can go from one to the other by a unimodular change of variables.
Equivalence of quadratic forms is an “equivalence relation.” That is, each form (a, b, c) is equivalent to itself; if (a, b, c) is equivalent to (a , b , c ), then the reverse is true, and two forms equivalent to the same form are equivalent to each other. We leave the proofs of these simple facts as Exercise 5.10.
There remains the computational problem of deciding whether two given quadratic forms are equivalent. The discriminant of a form (a, b, c) is the integer b2 − 4ac. Equivalent forms have the same discriminant (see Exercise 5.12), so it is sometimes easy to see when two quadratic forms are not equivalent, namely this is so when their discriminants are unequal. However, the converse is not true. Witness the two forms x2 +xy+4y2 and 2x2 +xy+2y2. They both have discriminant −15, but the first can have the value 1 (when x = 1 and y = 0), while the second cannot. So the two forms are not equivalent.
If it is the case that in each equivalence class of binary quadratic forms there is one distinguished form, and if it is the case that it is easy to find this distinguished form, then it will be easy to tell whether two given forms are equivalent. Namely, find the distinguished forms equivalent to each, and if these distinguished forms are the same form, then the two given forms are equivalent, and conversely.
This is particularly easy to do in the case of binary quadratic forms of negative discriminant. In fact, the whole theory of binary quadratic forms bifurcates on the issue of the sign of the discriminant. Forms of positive discriminant can represent both positive and negative values, but this is not the case for forms of negative discriminant. (Forms with discriminant zero are trivial objects—studying them is essentially studying the sequence of squares.)
The theory of binary quadratic forms of positive discriminant is somewhat more di cult than the corresponding theory of negative-discriminant forms. There are interesting factorization algorithms connected with the positivediscriminant case, and also with the negative-discriminant case. In the interests of brevity, we shall mainly consider the easier case of negative discriminants, and refer the reader to [Cohen 2000] for a description of algorithms involving quadratic forms of positive discriminant.
We make a further restriction. Since a binary quadratic form of negative discriminant does not represent both positive and negative numbers, we shall restrict attention to those forms that never represent negative numbers. If (a, b, c) is such a form, then (−a, −b, −c) never represents positive numbers,
5.6 Binary quadratic forms |
241 |
so our restriction is not so severe. Another way of putting these restrictions is to say we are only considering forms (a, b, c) with b2 − 4ac < 0 and a > 0. Note that these conditions then force c > 0.
We say that a form (a, b, c) of negative discriminant is reduced if
−a < b ≤ a < c or 0 ≤ b ≤ a = c. |
(5.2) |
Theorem 5.6.1 (Gauss). No two di erent reduced forms of negative discriminant are equivalent, and every form (a, b, c) of negative discriminant with a > 0 is equivalent to some reduced form.
Thus, Theorem 5.6.1 provides the mechanism for establishing a distinguished form in each equivalence class; namely, the reduced forms serve this purpose. For a proof of the theorem, see, for example, [Rose 1988].
We now discuss how to find the reduced form equivalent to a given form, and for this task there is a very simple algorithm due to Gauss.
Algorithm 5.6.2 (Reduction for negative discriminant). We are given a quadratic form (A, B, C), where A, B, C are integers with B2 − 4AC < 0, A > 0. This algorithm constructs a reduced quadratic form equivalent to (A, B, C).
1. [Replacement loop] |
|
while(A > C or B > A or B ≤ −A) { |
|
if(A > C) (A, B, C) = (C, −B, A); |
// ‘Type (1)’ move. |
if(A ≤ C and (B > A or B ≤ −A)) { |
|
Find B , C such that the three conditions: |
|
−A < B ≤ A, |
|
B ≡ B (mod 2A), |
|
B 2 − 4AC = B2 − 4AC |
|
hold; |
|
(A, B, C) = (A, B , C ); |
// ‘Type (2)’ move. |
} |
|
} |
|
2. [Final adjustment]
if(A == C and −A < B < 0) (A, B, C) = (A, −B, C); return (A, B, C);
Moves of type (2) leave the initial coordinate A unchanged, while a move of type (1) reduces it. So there can be at most finitely many type (1) moves. Further, we never do two type (2) moves in a row. Thus the algorithm terminates for each input. We leave it for Exercise 5.13 to show that the output is equivalent to the initial form. (This then shows that every form with negative discriminant and positive initial coordinate is equivalent to a reduced form, which is half of Theorem 5.6.1.)
242 |
Chapter 5 EXPONENTIAL FACTORING ALGORITHMS |
5.6.2Factoring with quadratic form representations
An old factoring strategy going back to Fermat is to try to represent n in two intrinsically di erent ways by the quadratic form (1, 0, 1). That is, one tries to find two di erent ways to write n as a sum of two squares. For example, we have 65 = 82 + 12 = 72 + 42. Then the gcd of (8 · 4 − 1 · 7) and 65 is the proper factor 5. In general, if
n = x21 + y12 = x22 + y22, x1 ≥ y1 ≥ 0, x2 ≥ y2 ≥ 0, x1 > x2,
then 1 < gcd(x1y2−y1x2, n) < n. Indeed, let A = x1y2−y1x2, B = x1y2+y1x2. It will su ce to show that
|
|
AB ≡ 0 (mod n), |
1 < A ≤ B < n. |
|
||
The first follows from y2 |
x2 (mod n) for i = 1, 2, since AB = x2y2 |
− |
||||
2 2 |
2 2 |
2 2 |
i |
≡ − i |
1 2 |
|
y1 x2 |
≡ −x1x2 |
+ x1x2 |
≡ 0 (mod n). It is obvious that A ≤ B. To see |
|||
that A > 1, note that y1x2 < y2x2 < y2x1. To see that B < n, note that uv ≤ 12 u2 + 12 v2 for positive numbers u, v, with equality if and only if u = v. Then, since x1 > y2, we have
B = x1y2 + y1x2 < 12 x21 + 12 y22 + 12 y12 + 12 x22 = 12 n + 12 n = n,
which completes the proof.
Two questions arise. Should we expect a composite number n to have two di erent representations as a sum of two squares? And if n does have two representations as a sum of two squares, should we expect to be able to find them easily? Unfortunately, the answer to both questions is in the negative. For the first question, it is a theorem that the set of numbers that can be represented as a sum of two squares in at least one way has asymptotic density zero. In fact, any number divisible by a prime p ≡ 3 (mod 4) to an odd exponent has no representation as a sum of two squares, and these numbers constitute almost all natural numbers (see Exercise 5.16). However, there still are plenty of numbers that can be represented as a sum of two squares; in fact, any number pq where p, q are primes that are 1 (mod 4) can indeed be represented as a sum of two squares in two ways. But we know no way to easily find these representations.
Despite these obstacles, people have tried to work with this idea to come up with a factorization strategy. We now describe an algorithm in [McKee
1996] that can factor n in O(n1/3+ ) operations, for each fixed > 0. |
ax2 + |
||||||||||
Observe that |
|
|
if (a, b, c) |
represents the positive integer n, |
say |
||||||
bxy + cy2 |
2= n, |
and if D = |
b2 |
− |
4ac is the discriminant of (a, b, c), then |
||||||
(2ax + by) |
|
2 |
|
|
|
2 |
− Dv |
2 |
≡ 0 |
||
− Dy |
|
= 4an. That is, we have a solution u, v to u |
|
|
|||||||
(mod 4n). Let |
|
|
|
|
|
|
|
|
|
|
|
S(D, n) = (u, v) : u2 − Dv2 ≡ 0 (mod 4n) ,
so that the above observation gives a mapping from representations of n by forms of discriminant D into S(D, n). It is straightforward to show that
5.6 Binary quadratic forms |
|
|
|
243 |
|||||
equivalent representations of n via (5.1) give pairs (u, v), (u , v ) in |
S |
(D, n) |
|||||||
|
|||||||||
with the property that uv ≡ u v (mod 2n) (see Exercise 5.18). |
|
|
|||||||
|
|
Fix now the numbers D, n with D < 0 and n not divisible by any prime up |
|||||||
to |
|
|
|
2 |
|
|
|
||
|D|. If h is a solution to h |
≡ D (mod 4n), then the form (A, h, n), where |
||||||||
h |
2 |
|
|||||||
|
= D + 4An, represents n via x = 0, y = 1. This maps to the pair (h, 1) |
||||||||
in S(D, n). Suppose now we reduce (A, h, n), and (a, b, c) is the reduced form equivalent to it. Say the corresponding representation of n is given by x, y, and this maps to the pair (u, v) in S(D, n). Then from the above paragraph, we have u ≡ vh (mod 2n). Moreover, v is coprime to n. Indeed, if p is a prime that divides both v (= y) and n, then p also divides u = 2ax + by, so that p divides 2ax. But gcd(x, y) = 1, since a unimodular change of variables changed 0, 1 to x, y. So p divides 2a. But the form (a, b, c) is reduced, so that 0 < a ≤ |D|/3
(see Exercise 5.14). The assumption on n implies that p > |
|
D |
|
so that |
|
p cannot divide 2a after all. |
|
| |
| ≥ |
2, |
|
|
|
|
|||
Now suppose we have two solutions h1, h2 |
to h2 ≡ D (mod 4n) with |
||||
h1 ≡ ±h2 (mod n). As in the above paragraph, these |
solutions |
give rise |
|||
respectively to pairs (ui, vi) in S(D, n) with ui |
≡ vihi (mod 2n) and v1v2 |
||||
coprime to n. We claim, then, that |
|
|
|
|
|
1 < gcd(u1v2 − u2v1, n) < n.
Indeed, we have u21v22 − u22v12 ≡ Dv12v22 − Dv22v12 ≡ 0 (mod 4n), so it will su ce to show that u1v2 ≡ ±u2v1 (mod n). If u1v2 ≡ u2v1 (mod n), then
0 ≡ u1v2 − u2v1 ≡ v1h1v2 − v2h2v1 = v1v2(h1 − h2) (mod n),
so that h1 ≡ h2 (mod n), a contradiction. Similarly, if u1v2 ≡ −u2v1 (mod n), then we get h1 ≡ −h2 (mod n), again a contradiction.
We conclude that if there are two square roots h1, h2 of D modulo 4n such that h1 ≡ ±h2 (mod n), then there are two pairs (u1, v1), (u2, v2) as above, where gcd(u1v2 − u2v1, n) is a nontrivial factor of n.
McKee thus proposes to search for pairs (u, v) in S(D, n) to come up with two pairs (u1, v1), (u2, v2) as above. It is clear that we may restrict the search to pairs (u, v) with u ≥ 0, v ≥ 0.
Note that if (a, b, c) has negative discriminant D and if ax2 +bxy+cy2 = n,
then the corresponding pair (u, v) in S(D, n) satisfies u2 − Dv2 = 4an, so that |
|||||||||||||||||||||
√ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|u| ≤ 2 an. Further, if (a, b, c) is reduced, then 1 ≤ a ≤ |D|/3. McKee |
|||||||||||||||||||||
suggests we fix a choice for a with 1 |
≤ |
a |
|
|
|
|
|
then search for |
|||||||||||||
|
|
|
|
|
|
|
√ |
|
|
|
|
≤ |D|/3 and |
|||||||||
integers u with 0 |
|
u |
|
an |
and u2 |
|
|
4an (mod |
|
D ). For each such u, |
|||||||||||
≤ |
≤ |
2 |
|
|
|
≡ |
|
|
|
| |
| |
|
|
|
|||||||
check whether (u |
2 |
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
− 4an)/D is a square. If we know the prime factorization of |
||||||||||||||||||||
D, then we may quickly solve for the residue classes modulo |D| that u must |
||||||||||||||||||||
lie in; there are fewer than |D| |
of such classes. For each such residue class, our |
|||||||||||||||||||
search for u is in an arithmetic progression of at most 1 + 2√ |
|
|
|
|
||||||||||||||||
an/|D| terms. |
||||||||||||||||||||
So, for a given a, we must search over at most |D| +2√ |
an/|D|1− choices for u. |
|||||||||||||||||||
Summing this expression for a up to |
|
|
|
|
gives O( |
|
1/2+ +√ |
|
|
|
1/4− ). |
|||||||||
| |
D |
/3 |
D |
D |
||||||||||||||||
n/ |
||||||||||||||||||||
|
|
|
|
| |
|
|
2/3 |
| |
| |
| |
| |
|
||||||||
|
|
|
|
D about n |
|
, we will have an algorithm |
||||||||||||||
So if we can find a suitable D with |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
that takes at most O(n |
1/3+ |
|
| |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
) steps to factor n. |
|
|
|
|
|
|
|
|
|
|
|
||||||||
244 |
Chapter 5 EXPONENTIAL FACTORING ALGORITHMS |
|||||||||||
Such a2suitable |
2/3 |
|
2/3 |
|
1/2 |
0 |
|
|
|
|
|
|
|
|
√n |
− |
|
||||||||
|
D is found very easily. Take x |
= |
|
n2/3 , so that if |
||||||||
d = n − x0, then n |
|
≤ d < n |
|
+ 2n |
|
. We let D = −4d. Note that the |
||||||
quadratic form (1, 0, d) is already reduced, it represents n with x = x0, y = 1, and it gives rise to the pair (2x0, 1) in S(D, n). Thus, we get for free one of the two pairs we are looking for. Moreover, if n is divisible by at least 2 odd primes not dividing d, then there are two solutions h1, h2 to h2 ≡ D (mod 4n) with h1 ≡ ±h2 (mod n). So the above search will be successful in finding a second pair in S(D, n), which, together with the pair (2x0, 1), will be successful in splitting n.
The following algorithm summarizes the above discussion.
Algorithm 5.6.3 (McKee test). We are given an integer n > 1 that has no prime factors below 3n1/3. This algorithm decides whether n is prime or composite, the algorithm giving in the composite case the prime factorization of n. (Note that any nontrivial factorization must be the prime factorization, since each prime factor of n exceeds the cube root of n.)
1. [Square test]
If n is a square, say p2, return the factorization p · p;
//A number may be tested for squareness via Algorithm 9.2.11.
2.[Side factorization]
if (gcd(n, d) |
|
|
|
|
2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
> 1) |
|
|
|
|
|
|
|
|
|
|
|
· |
|
|
|
|||
d = n − √n − n2/3 |
; |
// Thus, each prime factor of n is > 2√d. |
||||||||||||||||
|
|
|
return the factorization gcd(n, d) |
|
(n/ gcd(n, d)); |
|||||||||||||
By trial division, find the complete prime factorization of d; |
||||||||||||||||||
3. [Congruences] |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for(1 ≤ a ≤ 2 |
d/3 |
) { |
|
|
|
|
|
|
|
|
|
|
|
|
||||
Using the prime |
factorization of d and a method from Section 2.3.2 find |
|||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
the solutions u1, . . . , ut of the congruence u2 ≡ 4an (mod 4d); |
||||||||||||||||||
for(1 ≤ i ≤ t) { |
|
|
|
|
// If t = 0 this loop is not executed. |
|||||||||||||
For all integers u with |
0 ≤ u ≤ 2√ |
|
, u 2≡ ui (mod 4d), use |
|||||||||||||||
an |
||||||||||||||||||
Algorithm 9.2.11 to see |
whether (4an |
− |
u |
)/4d is a square; |
||||||||||||||
|
2 |
, and u |
|
|
|
|
|
|||||||||||
If such a square is found, say v |
|
≡ ±2x0v (mod 2n), goto |
||||||||||||||||
[gcd computation];
}
}
return “n is prime”;
4. [gcd computation]
g = gcd(2x0v − u, n);
return the factorization g · (n/g);
// The factorization is nontrivial and the factors are primes.
Theorem 5.6.4. Consider a procedure that on input of an integer n > 1 first removes from n any prime factor up to 3n1/3 (via trial division), and if this does not completely factor n, the unfactored portion is used as the input in Algorithm 5.6.3. In this way, the complete prime factorization of n
5.6 Binary quadratic forms |
245 |
is assembled. For each fixed > 0, the running time of this procedure to find the complete prime factorization of n is O(n1/3+ ).
For another McKee method of di erent complexity, see Exercise 5.21.
5.6.3Composition and the class group
Suppose D is a nonsquare integer, (a1, b, c1), (a2, b, c2) are quadratic forms of discriminant D, and suppose c1/a2 is an integer. Since the middle coe cients are equal, we have a1c1 = a2c2, so that c1/a2 = c2/a1. We claim that the product of a number represented by the first form and a number represented by the second form is a number represented by the form (a1a2, b, c1/a2). To see this assertion, it is su cient to verify the identity
a1x21 + bx1y1 + c1y12 a2x22 + bx2y2 + c2y22 = a1a2x23 + bx3y3 + (c1/a2)y32,
where
x3 = x1x2 − (c1/a2)y1y2, y3 = a1x1y2 + a2x2y1 + by1y2.
So in some sense, we can combine the two forms (a1, b, c1), (a2, b, c2) of discriminant D to get a third form (a1a2, b, c1/a2). Note that this third form is also of discriminant D. This is the start of the definition of composition of forms.
We say that a binary quadratic form (a, b, c) is primitive if gcd(a, b, c) = 1. Given an integer D that is not a square, but is 0 or 1 (mod 4), let C(D) denote the set of equivalence classes of primitive binary quadratic forms of discriminant D; where each class is the set of those forms equivalent to a given form. We shall use the notation a, b, c for the equivalence class containing the form (a, b, c).
Lemma 5.6.5. |
Suppose a1, b, c1 |
= A1, B, C1 |
A2, B, C2 |
C(D), and suppose |
that c1/a2, C1/A2 |
a1a2, b, c1/a2 = A1A2, B, C1/A2 . |
|
|
See [Rose 1988], for example.
C(D), a2, b, c2 = are integers. Then
Lemma 5.6.6. Suppose (a1, b1, c1), (a2, b2, c2) are primitive quadratic forms of discriminant D. Then there is a form (A1, B, C1) equivalent to (a1, b1, c1) and a form (A2, B, C2) equivalent to (a2, b2, c2) such that gcd(A1, A2) = 1.
Proof. |
We |
first |
show |
that there are |
coprime |
integers x1, y1 such that |
|||||||||||||||
a x2 |
+ b |
1 |
x |
1 |
y |
1 |
+ c |
1 |
y2 |
is coprime to a . Write a |
= m |
1 |
m |
2 |
m |
3 |
, where every |
||||
1 |
1 |
|
|
|
|
|
1 |
|
2 |
2 |
|
|
|
|
|||||||
prime that divides m1 also divides a1, but does not divide c1; every prime that divides m2 also divides c1, but does not divide a1; and every prime that divides m3 also divides gcd(a1, c1). Find integers u1, v1 such that u1m1 +v1m2m3 = 1, and let x1 = u1m1. Find integers u2, v2 such that u2m2 + v2m3x1 = 1, and let y1 = u2m2. Then x1, y1 have the desired properties.
Make the unimodular change of variables x = x1X − Y, y = y1X +v2m3Y . This changes (a1, b1, c1) to an equivalent form (A1, B1, C1), where A1 =
246 Chapter 5 EXPONENTIAL FACTORING ALGORITHMS
ax21 + b1x1y1 + c1y12 is coprime to a2. To bring B1 and b2 into agreement, find integers r, s such that rA1 + sa2 = 1, and let k = r(b2 − B1)/2. (Note that b2 and B1 have the same parity as D.) Set B = B1 +2kA1, so that B ≡ b2 (mod 2a2). Then (see Exercise 5.18) (A1, B1, C1) is equivalent to (A1, B, C1) for some integer C1, and (a2, b2, c2) is equivalent to (a2, B, C2) for some integer C2. Let A2 = a2, and we are done.
Given two primitive quadratic forms (a1, b1, c1), (a2, b2, c2) of discriminant D, let (A1, B, C1), (A2, B, C2) be the respectively equivalent forms given in Lemma 5.6.6. We define a certain operation like so:
a1, b1, c1 a2, b2, c2 = a3, b3, c3 ,
where a3 = A1A2, b3 = B, c3 = C1/A2. (Note that A1C1 = A2C2 and gcd(A1, A2) = 1 imply that C1/A2 is an integer.) Then Lemma 5.6.5 asserts that “ ” is a well-defined binary operation on C(D). This is the composition operation that we alluded to above. It is clearly commutative, and the proof that it is associative is completely straightforward. If D is even, then1, 0, D/4 acts as an identity for , while if D is odd, then 1, 1, (1−D)/4 acts as an identity. We denote this identity by 1D. Finally, if a, b, c is in C(D), then a, b, c c, b, a = 1D (see Exercise 5.20). We thus have that C(D) is an abelian group under . This is called the class group of primitive binary quadratic forms of discriminant D.
It is possible to trace through the above argument and come up with an algorithm for the composition of forms. Here is a relatively compact procedure: it may be found in [Shanks 1971] and in [Schoof 1982].
Algorithm 5.6.7 (Composition of forms). We are given two primitive quadratic forms (a1, b1, c1), (a2, b2, c2) of the same negative discriminant. This
algorithm computes |
integers |
|
a3, b3, c3 |
such |
that |
a1, b1, c1 a2, b2, c2 = |
||||||||||||||||
a3, b3, c3 . |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
1. |
[Extended Euclid operation] |
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
|
g = gcd(a1, a2, (b1 + b2)/2); |
|
|
|
|
|
|
|
|
|
|
|||||||||||
|
Find u, v, w such that ua1 + va2 + w(b1 + b2)/2 = g; |
|
|
|
||||||||||||||||||
2. |
[Final assignment] |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
Return the values: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
a |
|
= |
a1a2 |
, b |
|
= b |
|
+ 2 |
a2 |
|
b1 − b2 |
v |
|
c |
|
w , c = |
b32 − g |
. |
|||
|
|
|
|
|
g |
|
− |
|
|
|||||||||||||
|
|
3 |
|
g2 |
|
3 |
|
2 |
|
2 |
|
|
|
2 |
|
3 |
4a3 |
|||||
(To find the numbers g, u, v, w in Step [Extended Euclid operation] first use Algorithm 2.1.4 to find integers U, V with h = gcd(a1, a2) = U a1 + V a2, and then to find integers U , V with g = gcd(h, (b1 + b2)/2)) = U h + V (b1 + b2)/2. Then u = U U, v = U V, w = V .) We remark that even if (a1, b1, c1), (a2, b2, c2) are reduced, the form (a3, b3, c3) that is generated by the algorithm need not be reduced. One can follow Algorithm 5.6.7 with Algorithm 5.6.2 to get the reduced form in the class a3, b3, c3 .
5.6 Binary quadratic forms |
247 |
In the case that D < 0, Theorem 5.6.1 immediately implies that C(D) is a finite group. Indeed, each member of C(D) corresponds to a unique reduced
form (a, b, c) satisfying (5.2). Thus h(D), the order of C2(D), is equal to the |
||||||||||||||
number of coprime triples a, b, c |
|
satisfying (5.2) and b |
− 4ac = D. Using |
|||||||||||
b |
2 |
|
2 |
|
||||||||||
we have |
|
D = 4ac |
|
|
|
|
|
|
|
|
|
|
||
|b| ≤ a, 2 |
− |
|
2a |
− |
| |
≥ 4ac − a , and using a ≤ c, we have |
||||||||
we thus have h(D) ≤ |
| |
|
|
|
|
|
|
|
|
|||||
−D ≥ 3a . Thus, 0 < a ≤ |D|/3. Since c is determined once a, b are chosen, |
||||||||||||||
But we can do |
|
|
|
|
|
|
|
|
| | ≤ |
|
|D|/3 and b ≡ D |
|||
|
|
|
< 2 D /3. |
|
|
|
|
|
|
|
||||
|
better. Given an integer b with b |
at most the number |
||||||||||||
(mod 2), the number of choices of a that correspond to b is |
|
|
||||||||||||
of b2 |
|
|
|
|
|
|
|
|
|
|
o(1) |
as n → ∞, so |
||
of divisors 1/2+o−(1)D. But the number of divisors of n is n |
|
|
||||||||||||
h(D) ≤ |D| |
as D → −∞. |
|
|
|
|
|
|
|
|
|
|
|||
And we can do better still. The famous Dirichlet class number formula
(see [Davenport 1980]) asserts that for D < 0 and D ≡ 0 or 1 (mod 4), |
|
|
|
w |
|
h(D) = |
π L(1, χD) |D|, |
(5.3) |
where w = 3 if D = −3, w = 2 if D = −4, and w = 1 otherwise. The character χD is the Kronecker symbol (D/·). This is defined as follows: χD is completely multiplicative, χD(p) is the Legendre symbol (D/p) for p an odd prime, and χD(2) is 0 if D is even, is 1 if D ≡ 1 (mod 8), and is −1
if D ≡ 5 (mod 8). The |
|
L-function L(s, χD) is discussed in Section 1.4.3; |
||||||
showed that L(1, χD) < |
2 ln |D| + ln ln |D| + 1, |
π |
D |
| | |
||||
L(1, χD) is the value of |
the infinite series |
χD(n)/n. In 1918, I. Schur |
||||||
|
1 |
|
|
|
so that w L(1, χ |
|
) < ln D for |
|
D ≤ −4. Hence h(D) < |
|
|
|
ln |D| for these values of D. Since h(−3) = 1, |
||||
|
|D| |
|||||||
|
D = |
− |
3 as well; that is, it holds for all negative |
|||||
the inequality holds for |
|
|
|
|
||||
discriminants.
C. Siegel has shown that h(D) = |D|1/2+o(1) as D → −∞, but the proof is ine ective. That is, it is impossible to use the proof to give a bound, say, for the largest |D| with h(D) < 1000, though the theorem says such a bound exists. After work of D. Goldfeld, B. Gross, and D. Zagier, [Oesterl´ 1985] (also, see [Watkins 2004]) established the explicit inequality
h(D) > |
|
ln |D| |
|
1 − |
|
|
|
, |
|
|
|
||||||
7000 |
p |
p + |
1 |
|||||
1 |
|
|
|
2√p |
|
|||
|
|
|
|
|
|
|
|
|
where the product is over the primes that divide D and are smaller than|D|/4. Combining this with the result 2k−1|h(D), where k is the number of distinct odd prime factors of D (see Lemma 5.6.8), we get, for example, that h(D) > 1000 for −D > 101.3·1010 . Though almost surely very far from the truth, at least it is an explicit bound, something that cannot be obtained just with the Siegel theorem. Under an assumption of an unproved hypothesis that is weaker than the ERH, namely that the L-functions L(s, χ) never have a real zero greater than 1/2, [Tatuzawa 1951] gave an inequality that would imply that h(D) > 1000 for −D > 1.9 · 1011. Probably even this greatly lowered bound is about 100 times too high. It may well be possible to establish this remaining factor of 100 or so conditionally on the ERH.
248 |
Chapter 5 EXPONENTIAL FACTORING ALGORITHMS |
In a computational (and theoretical) tour de force, [Watkins 2004] shows unconditionally that h(D) > 100 for −D > 2384797.
The following formula for h(D) is attractive (but admittedly not very e cient when |D| is large) in that it replaces the infinite sum implicit in L(1, χD) with a finite sum. The formula is due to Dirichlet, see [Narkiewicz 1986]. For D < 0, D a fundamental discriminant (this means that either D ≡ 1 (mod 4) and D is squarefree or D ≡ 8 or 12 (mod 16) and D/4 is squarefree), we have
|D|
w
h(D) = D n=1 χD(n)n.
Though an appealing formula, such a summation with its |D| terms is suitable for the exact computation of h(D) only for small |D|, say |D| < 108. There are various ways to accelerate such a series; for example, in [Cohen 2000] one can find error-function summations of only O(|D|1/2) summands, and such formulae allow one easily to handle |D| ≈ 1016. Moreover, it can be shown that directly counting the primitive reduced forms (a, b, c) of negative discriminant D computes h(D) in O |D|1/2+ operations. And the Shanks baby-steps, giant-steps method reduces the exponent from 1/2 to 1/4. We revisit the complexity of computing h(D) in the next section.
5.6.4Ambiguous forms and factorization
It is not very hard to list all of the elements of the class group C(D) that are their own inverse. When D < 0, the reduced member of such a class is called an “ambiguous” form. They come in three types: (a, 0, c), (a, a, c), (a, b, a). These forms have an intimate relationship with factorizations of the discriminant into two coprime factors.
We state the classification, and leave the simple verification to the reader.
Lemma 5.6.8. Suppose D is a negative discriminant. If D is even, then the ambiguous forms of discriminant D include the forms (u, 0, v), where 0 < u ≤
|
|
|
= |
− |
D/4, with gcd(u, v) = |
|||
v, gcd(u, v) =11, and uv = −D/4. In addition, if uv 1 |
1 |
|
31 v. |
|||||
when 31 v ≤ u < v and the forms 2u, 2u, 21 (u + v) |
|
when 0 < u < |
||||||
1 or 2 |
and |
2 |
(u + v) odd, we have the forms 2 |
(u + v), v − u, 2 (u + v) |
||||
If1 D is |
1 |
|
1 |
|
|
1 |
|
|
|
odd, then the ambiguous forms of discriminant D are the forms |
|||||||
gcd(u, v) = |
1, and the forms u, u, 41 (u + v) , where |
|
D = uv, 0 < u |
≤ |
31 v, |
|||
4 (u + v), 2 |
(v |
− u), 4 (u + v) , where −D = uv with |
|
0 < 3 v ≤ u |
v, |
|||
gcd(u, v) = 1. |
|
− |
|
|
≤ |
|
||
Note that the form (1, 0, |D|/4) in the case that D is even, and the form (1, 1, (1 − D)/4) in the case that D is odd, are ambiguous. As we have seen in the previous section, each is, in its respective case, the reduced form in the class 1D. They correspond to the trivial factorization of D/4 or D where one factor is 1. Also, if D ≡ 12 (mod 16) and D ≤ −20, then the ambiguous form (2, 2, (4 − D)/8) corresponds to the trivial factorization of D/4. We also have the ambiguous forms (4, 4, 1− D/16) corresponding to the trivial factorization
5.6 Binary quadratic forms |
249 |
of D/4 when D ≡ 0 (mod 32) and D ≤ −64, and the form (3, 2, 3) with discriminant −32. However, every other ambiguous form gives rise, and arises from, a nontrivial factorization of D/4 or D. Suppose that D has k distinct odd prime factors. It follows from Lemma 5.6.8 that there are 2k−1 ambiguous forms of discriminant D, except for the cases D ≡ 12 (mod 16) and the cases D ≡ 0 (mod 32), when there are 2k and 2k+1 ambiguous forms, respectively.
Suppose now that n is a positive odd integer divisible by at least two distinct primes. If n ≡ 3 (mod 4), then D = −n is a discriminant, while if n ≡ 1 (mod 4), then D = −4n is a discriminant. If we can find any ambiguous form in the first case, other than (1, 1, (1 + n)/4), we will have a nontrivial factorization of n. And if we can find any ambiguous form in the second case, other than (1, 0, n) and (2, 2, (1 + n)/2), then we will have a nontrivial factorization of n. And in either case, if we find all of the ambiguous forms, we can use these to construct the complete prime factorization of n.
Thus, one can say that the search for nontrivial factorizations is really a search for ambiguous forms.
So, let us see how one might find an ambiguous form, given a negative discriminant D. Let h = h(D) denote the class number, that is, the order
of the group C(D) |
(see Section |
5.6.3). Say h = 2lho, |
where ho is odd. |
||
If f = a, b, c |
|
l 1 |
C(D), let F |
= f ho . Then either F |
= 1D, or one of |
F, F 2, F 4, . . . , F |
2 |
− |
has order 2 in the group. A reduced member of a class of |
||
order 2 is ambiguous (this is the definition), so knowing h and f , it is a simple matter to construct an ambiguous form. If the ambiguous form constructed corresponds to 1D or is (2, 2, (1 + n)/2) (in the case n ≡ 1 (mod 4)), then the factorization corresponding to our ambiguous form is trivial. Otherwise it is nontrivial.
So if the above scheme does not work with one choice of f in C(D), then presumably we could try again with another f . If we had a small set of generators of the class group, we could try anew with each generator and so factor n. (In fact, in this case, we would have enough ambiguous forms to find the complete prime factorization of n, by refining di erent factorizations through gcd’s.) If we did not have available a small set of generators, we might instead take random choices of f .
The principal hurdle in applying the scheme to factor n is not coming up with an appropriate f in C(D), but in coming up with the class number h. We can actually get by with less. All we need in the above idea is the order of f in the class group.
Now, forgetting this for a moment, and actually going for the full order h of the class group, one might think that since we actually have a formula for the order of this group, given by (5.3), we are home free. However, this formula involves an infinite sum, and it is not clear how many terms we have to take to get a good enough approximation to make the formula useful.